Canada Revenue Agency is following the industry standard otpauth specification, but not very precisely, which leaves room for improvement.
1. “authenticator app”
Unfortunately, CRA is using the term “authenticator app” and is wrong here: “If you have not already downloaded a third-party authenticator app on your device … you will need to do so to use this option.”
Not true! Your platform or browser’s built-in support works just fine — without an app. I built otpauth:// demo to demonstrate this existing support (and share best practices) but…
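The reason no particular app is required is that otpauth:// is just a URI carrying the parameters of RFC 6238 TOTP; anything that implements the algorithm produces the same codes. The following example is added here to make that concrete; it is my code, not CRA's and not the otpauth:// demo linked above. It parses an otpauth://totp URI, derives codes with nothing but the Python standard library, and verifies a submitted code with a small step window and a constant-time comparison. The URI, label and issuer are constructed for the example; the secret is the base32 form of the RFC 6238 test key "12345678901234567890", so the results can be checked against the RFC's own vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed example URI (label/issuer invented; secret = RFC 6238 test key in base32).
DEMO_URI = (
    "otpauth://totp/Example:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30"
)

_DIGESTS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri):
    """Split an otpauth://totp/<label>?... URI into its parameters, applying the usual defaults."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth":
        raise ValueError("not an otpauth URI")
    if parsed.netloc != "totp":
        raise ValueError("only the totp type is handled here")
    query = parse_qs(parsed.query)
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret parameter")
    algorithm = query.get("algorithm", ["SHA1"])[0].upper()
    if algorithm not in _DIGESTS:
        raise ValueError("unsupported algorithm: %s" % algorithm)
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "secret": query["secret"][0],
        "issuer": query.get("issuer", [None])[0],
        "algorithm": algorithm,
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
    }


def decode_secret(secret):
    """Base32-decode the shared secret; otpauth secrets are commonly written without '=' padding."""
    normalized = secret.strip().replace(" ", "").upper()
    return base64.b32decode(normalized + "=" * (-len(normalized) % 8))


def hotp(key, counter, digits=6, algorithm="SHA1"):
    """RFC 4226 HOTP: HMAC over the big-endian counter, dynamic truncation, then modulo 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), _DIGESTS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key, at_time, period=30, digits=6, algorithm="SHA1"):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(key, int(at_time) // period, digits, algorithm)


def code_for_uri(uri, at_time=None):
    """Compute the code an authenticator (built in or third party) would show for this URI now."""
    p = parse_otpauth(uri)
    at_time = time.time() if at_time is None else at_time
    return totp(decode_secret(p["secret"]), at_time, p["period"], p["digits"], p["algorithm"])


def verify_code(uri, submitted, at_time=None, window=1):
    """Server-side check: accept codes from the current step and +/- `window` neighbouring steps
    (clock drift), comparing in constant time so the comparison does not leak matching digits."""
    p = parse_otpauth(uri)
    key = decode_secret(p["secret"])
    at_time = time.time() if at_time is None else at_time
    step = int(at_time) // p["period"]
    for delta in range(-window, window + 1):
        expected = hotp(key, step + delta, p["digits"], p["algorithm"])
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    print(parse_otpauth(DEMO_URI))
    print("code now:", code_for_uri(DEMO_URI))
    print("code at T=59 (RFC 6238 vector, 6 digits):", code_for_uri(DEMO_URI, 59))
```

A real deployment would additionally remember the last accepted time step per user so a code cannot be replayed within its window; that bookkeeping is left out here to keep the algorithm in view.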
It’s hard to fault CRA though. While Apple’s @rmondello has argued (Ricky Mondello » Twitter’s Decision to Limit SMS 2FA is Dangerous) that “authenticator apps” are not the right framing for tim